A network security application and/or device, such as a firewall or intrusion detection system (IDS), can be used to observe network traffic for suspicious activity, such as activity associated with a worm or a “bot”. A bot is a software agent configured to cause a host to perform some task autonomously, typically without requiring any action by a user of the host, or even that user's knowledge or awareness that the bot exists. An agent that periodically checks for updates to an application is an example of a bot. Malicious users such as hackers have configured bots to perform tasks associated with exploits such as distributed denial of service (DoS) attacks, e.g., to cause many compromised hosts to send HTTP or other traffic to a targeted host at the same time, or to propagate worms and/or other malicious code. In some cases, malicious users have configured bots to connect to a specified chat or instant messaging channel, which enables the malicious user to communicate nearly simultaneously with his/her bots, e.g., to trigger an attack, without needing to know which hosts have been (and/or remain) compromised and without having to communicate individually with each such host.

When a network security device observes network traffic that is suspect, it is often difficult to decide whether to block that traffic because of the risk of a false positive. For example, suppose that a host is observed connecting to an Internet Relay Chat (IRC) server and joining a channel. This could indicate a bot, or it could be a legitimate user. In another example, a sudden spike in traffic from an endpoint that resembles a scan is observed. If it is malware scanning the network, the host should be dropped from the network. If it is just an authorized user running a diagnostic or other tool, the host should not be dropped.
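As an added illustration of the two detection scenarios just described (example code written for this page, not part of the patent or of any product it describes), the following Python sketch applies two simple heuristics to constructed flow records: a connection to an IRC port that carries a JOIN command, and scan-like fan-out to many distinct targets within a sliding time window. The port numbers, the thresholds, the window length and the `AUTHORIZED_SCANNERS` allowlist are assumed values chosen for the example; a real device would tune them, and the "authorized scan" case is exactly the false-positive problem the passage describes, which is why the code reports a verdict per host instead of blocking anything.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record, not a real log format)."""
    ts: float           # seconds since start of capture
    src: str            # source host
    dst: str            # destination host
    dport: int          # destination port
    payload: str = ""   # first application-layer bytes, if the sensor saw any


# Assumed values for the example: plaintext IRC ports and detector thresholds.
IRC_PORTS = {6667, 6697}
SCAN_WINDOW_SECONDS = 10.0
SCAN_MIN_TARGETS = 20


def irc_join_suspects(flows):
    """Map src -> [(irc_server, channel)] for hosts that send a JOIN over an IRC port.

    Heuristic only: it relies on seeing the IRC command in cleartext."""
    out = defaultdict(list)
    for f in flows:
        parts = f.payload.split()
        if f.dport in IRC_PORTS and len(parts) >= 2 and parts[0].upper() == "JOIN":
            out[f.src].append((f.dst, parts[1]))
    return dict(out)


def scan_suspects(flows, window=SCAN_WINDOW_SECONDS, min_targets=SCAN_MIN_TARGETS):
    """Map src -> peak number of distinct (dst, dport) targets seen in any `window` seconds,
    for hosts whose peak reaches `min_targets` (a sudden, scan-like fan-out)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append((f.ts, (f.dst, f.dport)))
    result = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # target -> count of flows currently inside the window
        left = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Slide the left edge forward, evicting flows older than the window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            result[src] = peak
    return result


def classify(flows, authorized_scanners=frozenset()):
    """Per-host verdict tags. Nothing is blocked here: the scan heuristic alone cannot tell
    malware from an authorized diagnostic tool, so that distinction comes from an allowlist
    (a stand-in for whatever out-of-band verification the device has)."""
    verdicts = defaultdict(list)
    for src in irc_join_suspects(flows):
        verdicts[src].append("irc-join")
    for src in scan_suspects(flows):
        verdicts[src].append("authorized-scan" if src in authorized_scanners else "scan-like")
    return dict(verdicts)


# Constructed sample traffic (all addresses are documentation/private ranges):
#   10.0.0.5  connects to an IRC server and joins a channel
#   10.0.0.9  touches 30 hosts on port 445 within three seconds
#   10.0.0.12 touches 25 hosts on port 22 within five seconds (an admin's inventory script)
#   10.0.0.20 makes three ordinary HTTPS connections
SAMPLE_FLOWS = (
    [Flow(0.0, "10.0.0.5", "198.51.100.7", 6667, "NICK agent42"),
     Flow(0.4, "10.0.0.5", "198.51.100.7", 6667, "JOIN #cmd")]
    + [Flow(5.0 + i * 0.1, "10.0.0.9", f"10.0.1.{i}", 445) for i in range(1, 31)]
    + [Flow(20.0 + i * 0.2, "10.0.0.12", f"10.0.2.{i}", 22) for i in range(1, 26)]
    + [Flow(30.0 + i, "10.0.0.20", f"203.0.113.{10 + i}", 443) for i in range(3)]
)

# Assumed allowlist of hosts permitted to run network diagnostics.
AUTHORIZED_SCANNERS = frozenset({"10.0.0.12"})


if __name__ == "__main__":
    for host, tags in sorted(classify(SAMPLE_FLOWS, AUTHORIZED_SCANNERS).items()):
        print(f"{host:12} {', '.join(tags)}")
```

Running the block prints one line per flagged host; the ordinary client 10.0.0.20 is absent, the IRC host is tagged `irc-join`, and the two fan-out hosts receive different tags only because of the allowlist, not because their traffic looked different on the wire.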
Under existing approaches, typically either a port or protocol associated with the suspicious traffic is blocked, which in some cases results in legitimate traffic being blocked too often, or a local endpoint agent installed on the host with which the suspicious traffic is associated is used to verify the traffic. However, it is often not possible or practical to block all access to a port or to have agents running on every host. Therefore, an improved method of monitoring traffic and determining whether suspicious traffic is legitimate would be useful.